Bug 1598581 (CVE-2018-10892)
| Summary: | CVE-2018-10892 docker: container breakout without selinux in enforcing mode | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | abhgupta, adimania, admiller, ahardin, amurdaca, andreas.bierfert, bbaude, bleanhar, ccoleman, dbaker, ddarrah, dedgar, dominik.mierzejewski, dornelas, dwalsh, gmollett, ichavero, jcajka, jchaloup, jgoulding, jligon, jnovy, jokerman, jshepherd, lsm5, lsu, marianne, mchappel, mheon, nalin, santiago, sthangav, trankin, tsweeney, umohnani, vbatts |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | The default OCI Linux spec in oci/defaults{_linux}.go in Docker/Moby, from 1.11 to current, does not block /proc/acpi pathnames. The flaw allows an attacker to modify the host's hardware, like enabling/disabling Bluetooth or turning up/down keyboard brightness. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-10 10:32:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1598582, 1598583, 1598584, 1598585, 1598630, 1599130, 1599131, 1599132, 1599133, 1599134, 1599135 | | |
| Bug Blocks: | 1598588 | | |
Created docker tracking bugs for this issue: Affects: epel-6 [bug 1598585] Affects: fedora-all [bug 1598583]

Created docker-latest tracking bugs for this issue: Affects: fedora-all [bug 1598582]

I already have a fix for upstream and downstream docker.

Acknowledgments: Name: Antonio Murdaca (Red Hat)

Upstream fix is here https://github.com/moby/moby/pull/37404 Our projectatomic/docker downstream fork has been fixed as well.

The tracking and other problems surrounding this issue are entirely my fault. I thought of this more as an OCI/compliance issue and directly went against Red Hat policy on upstream disclosure. It was my *wrong* call. If there's any remaining loose ends from that fallout, please let me know. I think we are tracking correctly now (special thanks to everyone who got cri-o marked affected especially). Like I said: if anything else has fallen between the cracks, let me know so I can get some grout. _Trevor

Created cri-o tracking bugs for this issue: Affects: fedora-all [bug 1599131]

Created podman tracking bugs for this issue: Affects: fedora-all [bug 1599130]

Created cri-o tracking bugs for this issue: Affects: fedora-all [bug 1599135]

Created podman tracking bugs for this issue: Affects: fedora-all [bug 1599134]

Is it too late to fix a typo? Should be "default"

(In reply to Ed Santiago from comment #17)
> Is it too late to fix a typo? Should be "default"

Nope, thanks for pointing out. Maxim, typo fixed in Doc Text 'cause' field.

This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2018:2482 https://access.redhat.com/errata/RHSA-2018:2482
The default OCI Linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames. The flaw allows an attacker to modify the host's hardware, like enabling/disabling Bluetooth or turning up/down keyboard brightness.
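A defender-side check for the flaw described above, added here as an example and not code from Moby, projectatomic/docker or the Red Hat errata: it parses an OCI runtime config.json, reports which required paths are absent from linux.maskedPaths (/proc/acpi being the entry the upstream fix added to the defaults) and emits a copy of the spec with them appended. The sample config and the RequiredMasks list are constructed for the example; the sample's masked paths imitate the pre-fix Docker defaults but are not taken from a real container.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample config.json: linux.maskedPaths mirrors the pre-fix Docker
// defaults, which mask /proc/kcore and friends but not /proc/acpi.
var sampleConfig = []byte(`{"ociVersion":"1.0.0","process":{"user":{"uid":0}},
 "linux":{"maskedPaths":["/proc/kcore","/proc/keys","/proc/latency_stats",
 "/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi",
 "/sys/firmware"]}}`)

// RequiredMasks is the audit's floor; /proc/acpi is the entry the CVE-2018-10892 fix added.
var RequiredMasks = []string{"/proc/acpi", "/proc/kcore", "/proc/keys"}

// AuditMasks reports which of want are absent from linux.maskedPaths and
// returns a re-serialised copy of the spec with those entries appended.
func AuditMasks(configJSON []byte, want []string) ([]string, []byte, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal(configJSON, &doc); err != nil {
		return nil, nil, err
	}
	linux, _ := doc["linux"].(map[string]interface{})
	if linux == nil { // no linux section at all: nothing is masked
		linux = map[string]interface{}{}
		doc["linux"] = linux
	}
	paths, _ := linux["maskedPaths"].([]interface{})
	have := map[interface{}]bool{}
	for _, p := range paths {
		have[p] = true
	}
	missing := []string{}
	for _, p := range want {
		if !have[p] {
			missing = append(missing, p)
			paths = append(paths, p)
		}
	}
	linux["maskedPaths"] = paths
	fixed, err := json.Marshal(doc)
	return missing, fixed, err
}

func main() {
	missing, _, _ := AuditMasks(sampleConfig, RequiredMasks)
	fmt.Println("not masked:", missing) // not masked: [/proc/acpi]
}
```

Run it against a spec exported from a real runtime (for example the config.json in a container's bundle directory) to see whether that runtime's defaults post-date the fix.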